Integrating Access Control Design into the Software Development Process
Description: G. Brose (Xtradyne AG), M. Koch, P. Löhr (FU Berlin). IDPT'02, June 2002. Overview: Motivation; View-based Access Control; Integrating Access Control in UML (security analysis, security design).
Integrating Access Control Design into the Software Development
Process
G. Brose (Xtradyne AG)
M. Koch, P.Löhr (FU Berlin)
IDPT‘02, June 2002
Overview
Motivation
View-based Access Control
Integrating Access Control in UML
– security analysis
– security design
Generation of the Access Control Policy specification
Conclusion
Motivation
Security aspects are inherent in any modern software system
But: security is not a part of the development process. Why?
– security requirements are difficult to analyze and model
– system engineers are not security experts
Problems:
– unsatisfied security requirements
– integration difficulties
Our approach - Aims
Systematic support for software engineers who need to produce secure software
Integration into the software development process with UML
How?
– Use of existing UML model elements
– Security design with UML tools
– No security expert knowledge necessary
– UML design for the generation of security specifications
Our approach – What we have done
Integration of view based access control policy design into the software development process with UML
Generation of the access control specification from the UML design model to configure a CORBA-based infrastructure (Raccoon)
View-based Access Control
Design and management of access control policies in object-oriented systems
Extension of role-based access control by views
A view is a set of access rights. Views are specified in the View Policy Language (VPL).
View Policy Language (VPL)
IDL:
  interface Paper {
    void read(out string s);
    void write(in string s);
    void append(in string s);
    void correct(in string s);
    void submit();
  };

VPL:
  view Reading controls Paper {
    allow read;
  }
  view Writing: Reading
    restricted_to Author {
    allow write; append;
  }
  view Submit controls Paper {
    allow submit;
  }
View Policy Language
  policy Conference {
    view Reading {...}
    view Writing {...}
    view Submit {...}
    roles Chair; Reviewer; Author;
  }
Integrating Access Control – Overview
Figure: overview of the integration. Functional requirements plus security requirements feed the functional design plus the security design; from the design model, IDL (the interfaces) and VPL (the access control policy) are generated.
Integrating Access Control
Security Requirements
Security analysis
Functional requirements are expressed in use cases
Security requirements are added to the use case models
Access control information is inherent in functional system requirements and facilitates the integration
Example: Digital Calendar
Actors and Role Identification
UML actor: a coherent set of specific behaviors that users of an entity have when interacting with an entity.
VBAC role: sets of functions that an individual user has as part of an organization
VBAC role = UML actor
Actors and Role Identification
Figure: actors of the use case diagram identified as roles: Calendar owner, Other, Secretary.
Identification of use case accesses
Extracting accesses from the informal use case descriptions
Attaching notes to communication associations in the use case diagram
– allowed and denied accesses
– high-level and informal
Analyst considers and expresses security aspects already in the analysis phase
Identification of use case accesses
edit entry: The calendar owner can read his/her entries and modify them. Modifications may cover the time, the day, and the room. The secretary of the calendar owner can read the calendar entries and make the calendar modifications, too.
update room: A secretary books a room on behalf of the calendar owner. The calendar owner is not allowed to book a room by her-/himself.
Identification of use case accesses
Figure: use case diagram of the digital calendar with access notes on the communication associations; a denied communication association carries the <<deny>> stereotype.
Security analysis - summary
UML actors = VBAC roles
Modeling of denied communications in use cases
Making implicit access information in natural use case descriptions explicit in notes
Integrating Access Control
Security Design
Security Design
Starting point is the use case diagram
Class diagram (for CORBA interfaces)
View Diagram – views on CORBA interfaces
Security Design
View Diagram
Notes in use case diagrams are the starting point for view definition
View Diagram
For each note N:
– View V(N,I) = all access rights with respect to interface I
– access rights are permissions to access the operation
– <<deny>> association defines a view with denials
View diagram contains all views for one interface
View diagram is drawn “like“ a class diagram
View Diagram
Figure: view diagram, annotated with the roles to which the view can be assigned.
View Diagram
Figure: view diagram for the IDL interface Room. View RoomBooking, assignable to role Secretary, with access rights book and cancel; view NoRoomBooking, assignable to role CalendarOwner, with denials cancel and book.
View Diagram
Explicit representation of views and assignment to roles
Designer can check the assignment and detect too powerful roles
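The check the previous slide calls for, written out as an added example (not code from the paper or from Raccoon): a small evaluator for the VPL constructs the slides show, applied to the Conference policy and to the calendar's view diagram. It models views with allow and deny lists on a controlled IDL interface, view extension ("view Writing: Reading"), restricted_to roles and role inheritance ("Secretary: Other"). Two things are assumptions rather than facts from the slides: a role holds the views assigned to it plus those of every ancestor role, and a denial in any held view overrides an allow from any other held view; the concrete view-to-role assignments are assumed as well. With those rules, CalendarOwner inherits RoomBooking from Secretary but is still refused book and cancel because NoRoomBooking's denials win, which is what the "update room" use case demands; full_control_roles is the starting list for the "too powerful role" review.

```python
"""Toy evaluator for view-based access control (VBAC) policies.
Added example, not the paper's or Raccoon's code. Assumed semantics
(not stated on the slides): views are inherited along the role
hierarchy, and a denial in any held view beats any allow.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class View:
    name: str
    controls: str                                    # IDL interface the view applies to
    allow: set = field(default_factory=set)          # operations granted
    deny: set = field(default_factory=set)           # operations explicitly denied
    extends: Optional[str] = None                    # base view, as in "Writing: Reading"
    restricted_to: set = field(default_factory=set)  # roles allowed to hold this view


@dataclass
class Policy:
    views: dict    # view name -> View
    parents: dict  # role -> parent role, None for a root role
    holds: dict    # role -> set of view names assigned to it (assumed)

    def ancestors(self, role):
        """The role followed by the roles it inherits from."""
        chain = []
        while role is not None:
            chain.append(role)
            role = self.parents.get(role)
        return chain

    def expand_view(self, name):
        """Rights of a view including those inherited via 'extends'."""
        allow, deny = set(), set()
        while name is not None:
            v = self.views[name]
            allow |= {(v.controls, op) for op in v.allow}
            deny |= {(v.controls, op) for op in v.deny}
            name = v.extends
        return allow, deny

    def held_views(self, role):
        names = set()
        for r in self.ancestors(role):
            names |= self.holds.get(r, set())
        return names

    def effective_rights(self, role):
        """(allowed, denied) sets of (interface, operation); deny wins (assumption)."""
        allowed, denied = set(), set()
        for name in self.held_views(role):
            a, d = self.expand_view(name)
            allowed |= a
            denied |= d
        return allowed - denied, denied

    def is_allowed(self, role, interface, operation):
        return (interface, operation) in self.effective_rights(role)[0]

    def restriction_violations(self):
        """(role, view) pairs where the holder is outside the view's restricted_to set."""
        bad = []
        for role in self.parents:
            for name in self.held_views(role):
                v = self.views[name]
                if v.restricted_to and not v.restricted_to & set(self.ancestors(role)):
                    bad.append((role, name))
        return sorted(bad)

    def full_control_roles(self, interface, operations):
        """Roles allowed every operation of an interface: candidates for the
        'too powerful role' review the slides recommend."""
        return sorted(r for r in self.parents
                      if all(self.is_allowed(r, interface, op) for op in operations))


# Digital calendar policy from the slides; view assignments are assumed.
ROOM_OPS = {"book", "cancel"}
calendar = Policy(
    views={
        "RoomBooking": View("RoomBooking", "Room", allow=set(ROOM_OPS),
                            restricted_to={"Secretary"}),
        "NoRoomBooking": View("NoRoomBooking", "Room", deny=set(ROOM_OPS)),
    },
    parents={"Other": None, "Secretary": "Other", "CalendarOwner": "Secretary"},
    holds={"Secretary": {"RoomBooking"}, "CalendarOwner": {"NoRoomBooking"}},
)

# Conference policy from the VPL slides; view assignments are assumed.
conference = Policy(
    views={
        "Reading": View("Reading", "Paper", allow={"read"}),
        "Writing": View("Writing", "Paper", allow={"write", "append"},
                        extends="Reading", restricted_to={"Author"}),
        "Submit": View("Submit", "Paper", allow={"submit"}),
    },
    parents={"Chair": None, "Reviewer": None, "Author": None},
    holds={"Reviewer": {"Reading"}, "Author": {"Writing", "Submit"}},
)
```

Running `calendar.is_allowed("CalendarOwner", "Room", "book")` returns False although the role inherits RoomBooking, and `calendar.full_control_roles("Room", ROOM_OPS)` lists only Secretary; `conference.is_allowed("Author", "Paper", "read")` is True purely through the Writing: Reading extension.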
VPL Generation
Figure: generation pipeline. UML CASE tool → XMI export (XML) → XSLT → VPL → RACCOON (Policy Server, Role Server).
VPL Generation
UML → VPL:
  policy Calendar {
    roles Other
          Secretary: Other
          CalendarOwner: Secretary
  }
VPL Generation
UML → VPL (view RoomBooking of the view diagram for interface Room, assigned to role Secretary):
  view RoomBooking controls Room restricted_to Secretary {
    allow book; cancel;
  }
VPL Generation
UML → VPL (the same view diagram, denials):
  view RoomBooking controls Room restricted_to Secretary {
    deny book; cancel;
  }
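The XMI-to-VPL generation step, as an added example that is not the authors' XSLT or any Raccoon tooling. Real XMI is far more verbose; MODEL is a constructed, simplified XML stand-in that carries the facts the slides' view diagram holds (actors with generalizations for the role hierarchy, the controlled IDL interface with its operations, views with allow/deny accesses assigned to a role). The VPL layout follows the fragments on the slides; the exact grammar is an assumption. The generator also validates the model, so a view diagram that names an operation the IDL interface does not have, or a role that is not an actor, fails at generation time rather than at deployment.

```python
"""Generate a VPL policy from a (simplified, constructed) UML model export.
Added example, not code from the paper or from Raccoon; the XML layout
and the VPL grammar details are assumptions."""
import xml.etree.ElementTree as ET

# Constructed sample model; a stand-in for the XMI export, not real XMI.
MODEL = """\
<Model name="Calendar">
  <Actor name="Other"/>
  <Actor name="Secretary" generalization="Other"/>
  <Actor name="CalendarOwner" generalization="Secretary"/>
  <Interface name="Room">
    <Operation name="book"/>
    <Operation name="cancel"/>
  </Interface>
  <View name="RoomBooking" controls="Room" role="Secretary">
    <Access kind="allow" operation="book"/>
    <Access kind="allow" operation="cancel"/>
  </View>
  <View name="NoRoomBooking" controls="Room" role="CalendarOwner">
    <Access kind="deny" operation="book"/>
    <Access kind="deny" operation="cancel"/>
  </View>
</Model>
"""

# The same model with a view naming an operation the interface does not have.
BAD_MODEL = MODEL.replace('operation="cancel"', 'operation="cancle"', 1)


def generate_vpl(xml_text):
    """Emit VPL text; raise ValueError when a view references something
    missing from the model, so the design error surfaces before deployment."""
    root = ET.fromstring(xml_text)
    interfaces = {i.get("name"): {op.get("name") for op in i.findall("Operation")}
                  for i in root.findall("Interface")}
    roles = [a.get("name") for a in root.findall("Actor")]

    lines = [f"policy {root.get('name')} {{"]
    decls = []
    for actor in root.findall("Actor"):
        parent = actor.get("generalization")       # UML generalization -> role hierarchy
        if parent is not None and parent not in roles:
            raise ValueError(f"unknown parent role {parent!r}")
        decls.append(actor.get("name") + (f": {parent}" if parent else ""))
    lines.append("  roles " + "\n        ".join(decls))

    for view in root.findall("View"):
        name, iface, role = view.get("name"), view.get("controls"), view.get("role")
        if iface not in interfaces:
            raise ValueError(f"view {name} controls unknown interface {iface!r}")
        if role is not None and role not in roles:
            raise ValueError(f"view {name} restricted to unknown role {role!r}")
        header = f"  view {name} controls {iface}"
        if role:
            header += f" restricted_to {role}"
        lines.append(header + " {")
        for kind in ("allow", "deny"):
            ops = [a.get("operation") for a in view.findall("Access") if a.get("kind") == kind]
            unknown = sorted(set(ops) - interfaces[iface])
            if unknown:
                raise ValueError(f"view {name}: unknown operation(s) {unknown} on {iface}")
            if ops:
                lines.append(f"    {kind} " + " ".join(f"{op};" for op in ops))
        lines.append("  }")
    lines.append("}")
    return "\n".join(lines)


def check_model(xml_text):
    """None if the model generates cleanly, otherwise the validation message."""
    try:
        generate_vpl(xml_text)
        return None
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    print(generate_vpl(MODEL))
```

For MODEL the output is the Calendar policy with the role hierarchy Other, Secretary: Other, CalendarOwner: Secretary, followed by RoomBooking (allow book; cancel;) and NoRoomBooking (deny book; cancel;); for BAD_MODEL, `check_model` reports the misspelled operation instead of silently emitting a view that grants nothing.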
Conclusion
Systematic approach to integrate access control policy design into the development process with UML
Security requirements are considered early
UML model is used to generate the VPL
UML tools can be used
No security expert knowledge necessary
Additional slides
Access Control
Preventing unauthorized access to resources
Authorized accesses are specified in access control policies
Security models are ...
– discretionary access control (e.g., access control list)
– mandatory access control (e.g., lattice-based access control)
– role-based access control
– view-based access control
– ....
View Policy Language
Figure: access control matrix with objects/types (o:Paper, Paper) as columns and roles/subjects (Author, Reviewer, Jack) as rows; entries: Author holds Reading, Jack holds Writing and Submit.
Raccoon - Architecture
Figure: a client invokes access_object() on a server-side object; the access decision (allow/deny) consults roles, domains and policies, which are managed by the Role Server, Domain Server and Policy Server (role management, domain management, policy management). The IDL and VPL produced during development are deployed into the RACCOON management infrastructure.
Actors and Role Identification
UML role: "named specific behavior of an entity participating in a particular context"; modeled by named association ends
UML actor: "a coherent set of roles that users of an entity can play when interacting with an entity. An actor has one role for each use case with which it communicates"
Role Diagram
Access control roles and specialization of roles
Actors of the use case diagram
Figure: role diagram with the roles Other, Secretary and CalendarOwner.
Forbidden Use Cases
Specification of possible, but unallowed use case accesses
Documentation of unauthorized accesses
Stereotype <<deny>> for denied communication associations
Forbidden Use Cases
Figure: use case diagram with a communication association stereotyped <<deny>>.
Security design - summary
View Diagrams are based on informal accesses in the notes of use cases
Role Diagram is based on the actors in use case diagrams